Spring Cleaning: Compliance Checklist – Updates to WCAG & PCI

Being an online merchant is a complicated business these days. Regulators, consumer advocates and customers alike want to know what you do with consumer data, how you protect credit card information, and if your website is accessible to all people, regardless of their level of physical ability.

Most online merchants have a checklist they rely on to ensure compliance with PCI DSS and WCAG requirements. What many might not realize is that these requirements continue to evolve, which means the checklist you used in the past is out of date. It’s critical to review the requirements on an annual basis to ensure you don’t fall out of compliance.

For this reason, we at Something Digital recommend online retailers go beyond compliance checklists and create a culture of compliance. In other words, WCAG accessibility shouldn’t be limited to website functionality. It should be a program and an ethos that makes it impossible for your organization to release inaccessible content. When Something Digital creates and builds websites for our clients, our designers ensure that the supporting guidelines for the WCAG principles — perceivable, operable, understandable, robust — are fully met. We design to the WCAG AA standard as a matter of course.

And the same goes for PCI DSS. A commitment to security should exceed PCI compliance and create an ethos of security mindfulness among all employees, coupled with a wide range of security exercises, such as quarterly network security audits.

For reasons described in this blog post, compliance should be top of mind, as well as formally reviewed every year.

New Privacy Standards

No doubt you’ve heard of GDPR, the EU’s response to consumer outcry over the collection, selling and sharing of their personal data. To guarantee consumer privacy, the law covers all personal data, as well as any data that can be used to determine a person’s identity, including cookies. GDPR doesn’t outlaw the use of cookies; it simply requires websites to get explicit consumer consent in order to use them, to explain how those cookies will be used, and to provide a mechanism for consumers to opt out of cookie use. GDPR covers all citizens who live within the EU, which means that if you sell to customers in an EU country, you must take steps to protect their data by complying with GDPR standards.

Businesses that fail to comply with GDPR are subject to steep fines. Earlier this year, France’s data protection regulator, CNIL, fined Google €50 million (around $56.8 million) for failing to comply with its GDPR obligations.

Even if you don’t sell to EU citizens, you’ll still need to contend with emerging privacy regulations. For instance, California passed its Consumer Privacy Act last summer, which requires all businesses that collect consumer data to explain the purpose for doing so, the categories of data collected, and a description of consumers’ rights under the Act. Moreover, it requires a clear and conspicuous opt-out option that must include the phrase “Do Not Sell my Personal Information.” If you sell to consumers in California, you must comply with the Act.

And that’s just the beginning: at least 10 other states have introduced privacy laws similar to GDPR. Not surprisingly, the Interactive Advertising Board (IAB) sent a letter to the Senate Commerce Committee last November, arguing that “A uniform federal privacy standard could provide clarity, market certainty, and add fuel to future innovation, while preserving the value and benefit that online advertising brings to the internet ecosystem.”

Clearly consumer privacy is a huge, complex and growing issue, one that all website owners will need to monitor closely.

PCI DSS 3.2.1

We recommend that every online seller update their PCI DSS checklist every year, for the very good reason that the PCI standards are updated fairly regularly. PCI DSS 3.2.1, the update to PCI DSS 3.2, went into effect at the first of the year. Fortunately, all of the changes are clarifications, not modifications, to the actual requirements. The PCI Council’s intent behind the update is to ensure that “concise wording in the standard portrays the desired intent of requirements.”

For instance, 3.2.1 removed the effective dates of some requirements, such as those for SSL, because many merchants couldn’t meet them due to their own vendors’ slow adoption rate.

Although PCI 3.2.1 is relatively minor, it does serve to illustrate the importance of regularly checking for updates. If you rely on the same checklist you’ve used in years past, your company may miss an important gap in security.

WCAG 2.1

Title III of the Americans with Disabilities Act (ADA) requires that businesses help disabled people access the same services as able-bodied people, including services offered via a website. Beyond compliance, making your site accessible to disabled people makes good economic sense. According to the Department of Justice, there are 51.2 million people with disabilities in the United States, all of whom may be potential customers for businesses that are accessible to people with disabilities.

WCAG is a set of standards for creating websites that are fully accessible to people with a range of disabilities, a topic that Something Digital has written extensively about and built into our SDK Accelerator.

Last June, WCAG 2.1 was issued, offering guidance on mobile web accessibility, an important component of AA-level compliance. For instance, one of the new criteria requires apps to rotate and reorient so that people can easily use the app without rotating their devices. As the guidance of WCAG 2.1 points out, some people, such as those with cerebral palsy, might not be able to rotate their tablet, so mobile apps should work well in both horizontal and vertical orientations.

Another new requirement is allowing for reflow. The idea behind reflow is to allow people to see all of the information or access all of the functionality without scrolling in two dimensions, except for parts of the content which require two-dimensional layout for usage or meaning. In other words, a user shouldn’t need to scroll both horizontally and vertically in order to read content or use some type of functionality.
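As an added illustration that is not part of the original post, the CSS below contrasts a layout that fails the two WCAG 2.1 criteria just described with one that reflows down to the 320 CSS pixel width the Reflow criterion specifies and does not tie content to a single orientation. The class names (`product-grid`, `checkout-form`, `data-table-wrapper`) are hypothetical.

```css
/* ---- Before: fails Reflow and Orientation ----------------------------- */
/* Fixed pixel width forces horizontal scrolling on any narrower viewport. */
.product-grid { width: 1200px; }

/* Hiding a control in one orientation locks the user into the other. */
@media (orientation: landscape) {
  .checkout-form { display: none; }
}

/* ---- After: fluid layout that reflows and works in either orientation -- */
.product-grid {
  display: flex;
  flex-wrap: wrap;        /* cards wrap to new rows instead of overflowing */
  gap: 1rem;
  max-width: 100%;        /* never wider than the viewport */
}

.product-card {
  flex: 1 1 280px;        /* one column at 320px, more as space allows */
  min-width: 0;           /* let long text shrink rather than overflow */
}

/* Media scales to the available width instead of its intrinsic size. */
img, video { max-width: 100%; height: auto; }

/* The exception the criterion allows: a data table whose meaning depends
   on two-dimensional layout. Scroll only that wrapper, not the whole page. */
.data-table-wrapper { overflow-x: auto; }

/* Orientation-specific rules only adapt layout; nothing is hidden or
   disabled, so the form stays usable whichever way the device is held. */
@media (orientation: landscape) {
  .checkout-form { max-width: 40rem; margin: 0 auto; }
}
```

The HTML must also carry `<meta name="viewport" content="width=device-width, initial-scale=1">`, since without it mobile browsers render at a virtual desktop width and no CSS reflow takes effect.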

I’m not even touching on state tax in this blog post, but you can be sure that thanks to the Supreme Court’s ruling in South Dakota v. Wayfair, more states are likely to require state tax for online sales. I wouldn’t be surprised if the tax nexus goes away entirely.

Seek Partnerships

We don’t recommend people go it alone when it comes to compliance. There are a lot of good companies that can help you ensure that you’ve covered all of your compliance bases. For instance, we partner with Siteimprove to help us manage accessibility, Vertex to help manage tax complexity, and Trustwave for PCI compliance.